SECURE MESSAGING AND REGULATORY COMPLIANCE
Today’s business transactions are processed and stored digitally, using electronic messages and the Web, so it is only natural that executives turn to technology to protect both their corporate data assets and the privacy of their valued customers and partners. Because corporations have not always proactively protected the interests of consumers and investors, legislators have put in place many regulations that require them to do so. Penalties can be severe for organizations and individuals - such as corporate officers and directors - that do not comply.
Many regulations are industry-specific: banks, brokerages and investment firms must follow one set of regulations; hospitals and healthcare organizations must abide by another; and government agencies, publicly traded corporations and other businesses must adhere to others.
The key privacy laws affecting message and data security are:
- The Gramm-Leach-Bliley Act (GLBA) is designed to protect consumer privacy in the financial services sector. Failure to comply can result in fines or up to five years imprisonment. Companies are required to post privacy policies on their Web sites and send them to consumers.
- The Health Insurance Portability and Accountability Act (HIPAA) was passed to protect consumers’ private health information (PHI). Secure management of PHI is mandatory for all healthcare organizations and practitioners. Protecting PHI sent via email or instant messages can be one of the most difficult hurdles for organizations seeking compliance solutions.
- Securities and Exchange Commission (SEC) Rule 17a-4 requires securities merchants, brokers and dealers to maintain detailed client records for at least three years (and up to 30 years) in a non-tamperable format - which today means electronic form. Under the regulation, companies must be able to promptly hand over documents and data for a thorough SEC audit or in legal discovery.
- Public Sector directives call for strict information security measures for any individual or agency that uses electronic communications, such as email or IM, to share information. There is finally an easy way for them to comply.
- Other important regulatory requirements include:
  - NASD (National Association of Securities Dealers) Conduct Rule 3010 requires securities firms to tape-record and archive all the conversations and documents of registered brokers in non-tamperable formats for at least three years. Companies must also develop an internal review process to address possible or suspected violations.
  - CA1798, or California Security Breach Information Act’s Section 1798, requires all organizations doing business in California to disclose any security breach of databases that store the personal information of customers.
  - The Sarbanes-Oxley Act is sweeping legislation intended to improve corporate governance, financial disclosure and public accounting in the business community. The law requires accounting firms to retain certain records, including opinions, analyses and financial data, for seven years.
According to Gartner, Inc., there are five key IT areas that corporations must address if they are to secure data: security policies and architecture, security infrastructure, security administration, business continuity management and critical infrastructure protection.
Securing data in motion (email, IM, document and statement delivery) is a growing and critical concern. Before taking action, executives must research and consider several security options.