
Global Compliance Initiatives: What do They Mean for Me?
BY ROB AYOUB,
industry manager—network security, Frost and Sullivan

The compliance acronyms roll right off our lips these days: HIPAA, SOX, PCI. All these and many others are top-of-mind to executives and practitioners throughout the industry. What about the European Union Directive 2002/58/EC, or India's Information Technology Act? As the need to protect data moves from a local to a global concern, many governments are taking notice and have implemented their own versions of data-protection laws. While there are strengths to having this legislation in place, there are several hazards that organizations must be aware of when considering doing business in other countries.

Best Practices Are Not Regulations
Many organizations have spent a great deal of money improving security practices. Constant media attention to organizations that have failed to safeguard their data, and to the losses they subsequently incurred, has brought security to the fore for many executives, many of whom are beginning to pay close attention to the security posture of their companies. Unfortunately, having solid security practices in place does not necessarily make those organizations compliant. It's important for organizations to understand the difference between implementing security as a best practice and implementing it for regulatory compliance. Take as an example message archiving, which for many organizations serves as both a best practice and a requirement for regulatory compliance.

Message Archiving: Best Practice vs. Compliance Requirement
Depending on the nature of a business, message archiving needs can range from archiving e-mail solely for disaster recovery to archiving all messages to comply with government-mandated regulations. Although on the surface these two needs appear similar, they are distinct and must be addressed differently.

Message archiving for disaster recovery is focused exclusively on getting the messaging platform up and running again after an e-mail server crash. These archives will commonly be made once a day, or in some cases less frequently, and will be stored offline on tape media for about 30 days. Because of the time gap between system backups, when an e-mail server is taken offline for unscheduled maintenance, messages that were sent and received since the previous backup can be irretrievably lost. In many businesses, losing a few e-mails, while potentially damaging, is not considered disastrous.

When message archiving is done to comply with a law or rule, regulated markets require that all messages be archived and retained for several years. Furthermore, regulations pertaining to message archiving generally do not provide for leniency due to messaging infrastructure failures. In short, all messages must be captured and retained for multiple years. If they're not, the organization may face financial penalties and, in some cases, criminal charges, depending on the severity of the situation.

The primary difference between archiving for compliance and message archiving as part of a security best practice is highlighted by the following vertical-specific regulations, each of which describes message archiving requirements:

Automotive
The Transportation Recall, Enhancement, Accountability and Documentation Act (TREAD)
This law requires automotive manufacturers and suppliers to retain substantial amounts of product information for nine years. This includes documentation e-mailed to dealerships, owners and lessees. It also requires that all consumer complaints regarding systems and component parts be retained, including complaints received via e-mail.

Aerospace and defense
Arms Export Control Act (AECA)
The AECA requires a five-year record-retention period for all companies exporting controlled technologies abroad. Because the Office of Defense Trade Controls does not outline what types of online record-keeping systems are appropriate, all communications, including e-mail, should be retained.

Commercial aviation
Title 14 of the CFR for aircraft maintenance
Title 14 of the Code of Federal Regulations (CFR) requires an air carrier to retain aircraft-maintenance records and records of total time in service for the airframe, engines and propellers. The Federal Aviation Administration requires that all necessary maintenance records be retained to prove airworthiness, which includes any e-mails sent regarding maintenance issues.

Financial services
SEC 17a-4, NASD 3010, NYSE 342, Gramm-Leach-Bliley Act (the Financial Services Modernization Act of 1999)
In each of these rules and regulations, established by the Securities and Exchange Commission, the National Association of Securities Dealers (NASD), the New York Stock Exchange (NYSE) and Congress, respectively, the financial services industry is specifically instructed to retain e-mail and make it available on demand by government agencies, the courts or self-regulating organizations (such as the NASD or NYSE).

Healthcare/pharmaceuticals
FDA—Title 21, Part 11
This piece of legislation sets forth criteria on what the Food and Drug Administration (FDA) considers electronic records and minimum guidelines for the retention of electronic records, including e-mail, over multiple years.

All public companies
Sarbanes-Oxley (SOX)
Sarbanes-Oxley, also known as the Public Company Accounting Reform and Investor Protection Act of 2002, requires corporate officers not only to ensure that financial information is accurate, but also to maintain it under significant internal controls. This means that Excel spreadsheets attached to e-mail and discussions of financial results via e-mail fall under this regulation and therefore must be retained to aid in any future litigation discovery process.

Regional Influence in a Global Workplace
As mentioned, the gap between security best practices and regulatory compliance can be significant, and it varies from regulation to regulation. That's exactly why there are significant implications when organizations are forced to adhere to a variety of regulations at once.

Actions that may be acceptable under one regulation could draw a fine in another country under a different regulation.

Below is a list of several country-specific regulations relating to data security. All organizations, regardless of industry, should look at the list, identify the countries they do business in and consider whether they fully understand the regulations they may be required to follow.



Conclusion
Regulatory compliance has proven to be a challenge for many organizations over the years. With more countries adopting privacy and data-protection laws, organizations will be forced to implement stricter controls to comply in all regions. The best advice is for organizations to determine the strictest regulation for each security area—archiving, data loss prevention, encryption, etc.—and work to satisfy those requirements. One can only hope that eventually there will be more regulations with global reach that will standardize the controls necessary for organizations.
Copyright ©2008 The Compliance Authority, Inc.