In many geographies, electronic communication has become critical evidence in both regulatory actions and in litigation. While in some environments it remains desirable to eliminate electronic records once they are no longer relevant, in many other situations enterprises need to create permanent or near-permanent records of all email communications so that they can provide definitive evidence of who said what to whom and when.
Statutes and regulations that can drive archiving requirements include Sarbanes-Oxley ("SOX"), which affects all U.S. public companies and bears especially on financial-services organizations, as well as sector-specific regulations such as HIPAA in healthcare. Similarly, the threat of litigation, including shareholder class actions and product-liability suits, creates an implicit requirement to retain data so that an enterprise can prove that its internal processes were defined and carried out appropriately.
Companies that handle consumer information may be required, by statute and regulation (for instance the Data Protection Acts in the U.K. and Japan and the EU Data Protection Directive) and by the threat of consumer litigation, to take additional steps to prevent leaks of customer information, or to identify the source of a leak once it has occurred.
In addition to the common need for a definitive record of all email communication, some email, between certain groups or on certain topics, may be so sensitive that a prudent compliance policy requires it to be quarantined and inspected before delivery. The table below gives some indication of the breadth of these regulations.
| Regulation | Regulatory Organization | Organizations Impacted | Requirements |
|---|---|---|---|
| 17 CFR 240.17a-4 (Code of Federal Regulations, "17a-4") | Securities and Exchange Commission (SEC) | Financial services (broker-dealers) | Type and length of data retention, storage-media requirements |
| 21 CFR Part 11 (Code of Federal Regulations) | Food and Drug Administration (FDA) | Pharmaceuticals, medical-device manufacturers | Security, integrity and auditability of electronic records |
| Basel Capital Accord (Basel II) | Basel Committee on Banking Supervision (G-10 central banks) | Financial services | Reduce operational and systemic risk |
| California Senate Bill 1386 (SB 1386) | State of California | Any business holding personal information of California residents | Protect consumer privacy; notify affected individuals of breaches of unencrypted personal data |
| Data Protection Act(s) | European Union, UK Information Commissioner, Japanese MITI | European and Japanese operations, global firms | Protect personal data (including that of employees) |
| DoD 5015.2-STD | Department of Defense | U.S. military branches and DoD components | Records management: strong authentication, auditability and encryption |
| Gramm-Leach-Bliley Act (GLBA) | Federal Trade Commission (FTC) | Financial services | Encryption, secure backup, data destruction |
| HIPAA (Health Insurance Portability and Accountability Act) | U.S. Department of Health and Human Services | Health insurers, healthcare providers | Privacy, security, very long retention periods |
| Sarbanes-Oxley (SOX) | Securities and Exchange Commission (SEC) | Public companies, accounting firms | Reliability, data protection, data permanence to protect against alteration or destruction of records |