Regulatory Compliance for Electronic Communications


    What is regulatory compliance?

    Regulatory compliance refers to the practice of remaining up-to-date with federal and state laws which regulate the way business should be conducted. It describes a goal that organizations aspire to achieve, no matter the type of business involved.

    How does it apply to business communications?

    Most business communication is now handled electronically, whether through email, social media platforms, or other messaging tools. It is estimated that 3.7 billion people worldwide use email daily, roughly half of the world's population. Because of this, the regulations governing the retention of documents and records apply equally to the interactions handled electronically in the workplace.

    To meet regulatory compliance standards, all records and other pertinent data must be kept in a manner that allows them to be retrieved quickly, at any time. Records should be kept as immutable originals rather than edited copies, so that the integrity of the information within them can be demonstrated. Simply put, an organization should be able to show that its Electronically Stored Information (ESI) consists of original records and communications, and that no user, administrators included, can alter or delete the stored files without that action being detected and logged.

    What are electronic communications?

    The term electronic communication covers email, instant messages, text messages, social media correspondence, and any other interaction between two or more parties that takes place over an electronic device, whether a workstation, a laptop, a smartphone, or a personal device used for work. Any business message sent or received in this manner is considered an official record.

    What should be covered for compliance regarding electronic communications?

    To be in full compliance with regulatory standards today, organizations subject to these rules must have a system in place that captures every email sent and received through the email system, whether internally or externally. This is most effectively done with an archiving system, separate from the mail server itself, dedicated to preserving business communications.

    Email archiving is the process of preserving and making searchable all email to and from an individual, with no user choice as to what is saved and what is discarded.

    To fulfil these requirements, such systems must preserve records in a "non-rewriteable, non-erasable format" (the language of SEC Rule 17a-4(f), discussed below), and be able to automatically verify the quality and accuracy of the storage media recording process. The system must also be able to readily download indexes and records preserved on the electronic storage media to any medium acceptable under federal and state regulations. Additionally, every communication should be retained for at least the minimum period set out in the organization's retention policy, and the process for recording the information in these interactions must be addressed in written supervisory policies and procedures.

    Engaging the customer is a vital part of business, and more and more companies are using social media to reach their consumers in a direct and personal way. While there are key advantages to using social media, like generating low-cost leads, receiving important feedback from your audience, and reaching potential customers, there are also pitfalls when your social media compliance is an afterthought. Like other communications, social media is subject to the same rules that protect consumers against fraudulent advertising and claims, and the preservation of these communications should also be considered an absolutely necessary practice. Here is a brief list of regulatory authorities which impose rigorous guidelines for social media activity in all businesses:

    When it comes to social media, it’s not surprising that regulated industries and governmental agencies face more challenges. Some of the pitfalls facing regulated businesses are due to a lack of documentation and supervision, as well as mandated content requirements. These businesses generally have strict directives when it comes to record-keeping, supervision, suitable language and content while government agencies must comply with open records requirements.

    Regulated businesses need to routinely monitor the content of all social media posts and be prepared for audits by one or more agencies. In the financial industry, which sees the most social media compliance incidents, FINRA and SEC record-keeping rules (for example SEC Rule 17a-4(b)(4)) require that business communications, posts included, be retained for at least three years, while the FTC's advertising rules govern what the posts may claim. Additionally, content must be reviewed and approved by a registered principal, and each post must adhere to industry standards.

    By implementing an archiving solution, you will be audit ready while complying with industry regulations. Social media posts are captured automatically and stored securely, which supports the preservation and production duties imposed by the Federal Rules of Civil Procedure (FRCP) and helps you demonstrate the integrity and authenticity of the records when they are produced.

    A social media archiver is not for surveillance of personal accounts of your employees and all that they do in and out of work, rather it is assurance that accounts associated with your business are acting appropriately.

    What happens if you aren't compliant?


    It is possible that some administrations lack a basic understanding of what their regulatory retention obligations encompass. If a federal court orders production of electronically stored information under any of the federal laws discussed below and you are unable to produce it, the consequences can be dramatic, crippling organizational reputations and individual careers alike. The potential outcomes of non-compliance are numerous, and devastating:

    Industry Audits

    Audits are a part of nearly every business, regardless of the department involved. Communications within and outside a company are always subject to being included in an audit, so the information in these messages needs to be retained and stored for the inevitable event of one.

    Discovery Requests

    In the event of an open records request, litigation, or other legal matter, an inability to locate information promptly creates serious problems. Without the ability to run a detailed search across all relevant mailboxes at once, an organization cannot meet the promptness requirements for disclosure.

    Lawsuits

    The retention and preservation of this ESI is increasingly important, because any information contained within electronic communications is considered official record in a court of law. Because of that, it is potentially subject to use as evidence in lawsuits or litigation which are levied upon the organization.

    Fines

    As penalties for infractions, organizations face significant fines. Depending on the size of the organizations involved and the scope of the infractions, fines resulting from non-compliance sanctions can total in the billions of dollars. Whether imposed on individuals or on the organization itself, they can cause irreparable damage to the financial stability of those involved, and have in the past been the downfall of several corporations.

    Potential Jail Time

    There also exists the possibility that the penalties for non-compliance include even more serious sanctions. Often coupled with fines, several cases have resulted in jail sentences, sometimes of more than 10 years.

    Reputational Risk

    A less understood aspect of regulatory compliance failures is the impact on the reputation of the organization involved. Reputational risk refers to the loss resulting from damage to a firm's reputation, whether in lost revenue, increased operating, capital or regulatory costs, or destruction of shareholder value. Regardless of whether or not they are found guilty, being caught up in these situations can call corporate trust into question, affecting the financial well-being of an organization as well as the respect your business holds throughout your community.

    The damage caused to a company’s reputation within their business community can be equally as detrimental as the damages caused by financial penalties. In some cases, it can cause the relationships held between individuals and organizations to deteriorate to an irreversible point, and has, in extreme cases, been the downfall of organizations.

    Who enforces regulatory compliance?

    This culture, which necessitates that anything communicated that’s even remotely relevant be retained, began further back than many realize. The laws that led to current regulatory compliance requirements began as early as 1950, and through time have grown to incorporate several different organizations which are set up to monitor and maintain the retention and storage of ESI.

    What most organizations fail to realize is that they must be compliant with every industry’s standards, not simply within their primary industry. The tendency most people have is to inadvertently neglect the standards which may apply to them in other sectors of business, and how that crossover would affect the way they catalog their business procedures. For example, an organization which is contracted to work for a governmental entity must meet all the regulation standards which apply to the government in addition to the regulations laid down by their primary industry.

    The following groups are tasked with monitoring their respective areas of business operations and have separate specific regulations which they enforce:

    Federal Rules of Civil Procedure

    The Federal Rules of Civil Procedure (FRCP) govern discovery in federal civil suits, including the production of electronically stored information such as email (Rules 26 and 34 in particular). In practice, they require organizations to manage their data so that it can be preserved once litigation is reasonably anticipated and produced in a timely, complete manner during discovery.

    In other words, every business needs a data retention policy covering relevant emails, other ESI, network logs, and similar electronically stored documents. If your company cannot produce the documents when requested, or has let them be destroyed, the court can impose sanctions under Rule 37(e), ranging from cost shifting and monetary penalties to adverse-inference instructions and default judgment; where records are destroyed deliberately to obstruct an investigation, separate federal criminal statutes apply.

    An effective email archiving system greatly reduces the risk of sanctions if your company needs to produce email for a civil suit. Implementing email archiving allows you to quickly locate and retrieve any data stored in the system, meeting FRCP preservation and production requirements.

    Financial Industry Regulatory Authority

    The Financial Industry Regulatory Authority (FINRA) is the largest independent regulator for all securities firms doing business in the United States. It is not a government entity, and therefore cannot levy jail sentences as penalties. However, the fines they impose can reach excessive amounts in totality.

    In 2016, FINRA shattered self-regulatory records from 2014, with the total amount of fines administered jumping to a high of $176 million. This represented an 87% increase from 2015 ($94 mil.), and a 31% increase from the record ($134 mil.) in 2014. This was due to the significant rise in the number of “supersized” fines which are fines totaling over $5 million.

    FINRA fined 12 broker-dealers a total of $14.4 million for failing to maintain their electronic broker-dealer and customer records in a format that prevents alteration of the stored records. This format is commonly referred to as WORM (write once, read many): once a record is written it can be read any number of times, but it cannot be modified or erased before the end of its retention period.

    In 2015, FINRA hit Scottrade Financial with a $2.6 million fine for “ failing to retain a large number of securities-related electronic records in the required format, and for failing to retain certain categories of outgoing emails.”

    Securities and Exchange Commission

    Sanctions from the Securities and Exchange Commission are typically found in conjunction with those imposed through FINRA, and primarily impact broker-dealers. The SEC itself brings civil actions, imposing fines and disgorgement; where the same conduct is prosecuted criminally by the Department of Justice, securities fraud carries prison sentences of up to 20 years.

    SEC Rules 17a-3 and 17a-4 specify the minimum records that broker-dealers must make and how long those records and other official documentation must be retained. Rule 17a-4(f) permits the records required under 17a-3 to be produced or reproduced on electronic storage media, provided the media meet the conditions set forth in the rule. As written at the time, that meant a digital storage system that "preserves the records exclusively in a non-rewritable, non-erasable format." The system must also be able to automatically verify the quality and accuracy of the stored media, serialize the original and any duplicate media by time and date for the required retention period, and readily download indexes and records preserved on the electronic storage media to any medium required. (The SEC amended Rule 17a-4 in 2022 to also permit an audit-trail alternative, under which every modification or deletion of a record is itself recorded so that the original can be recreated.)

    The SEC also strictly enforces compliance in international business dealings, specifically using the Foreign Corrupt Practices Act (FCPA), accounting for both bribery and accounting provisions. The legislation was intended to eliminate the possibility of companies and their supervisors influencing foreign officials in any way. In 2016 alone, 27 companies were forced to pay out $2.48 billion to resolve FCPA cases, a record number both in resolution amounts as well as actions enforced.

    In 2011, Raj Rajaratnam, founder of the hedge fund Galleon Group, was convicted of 14 counts of securities fraud and conspiracy, resulting in fines of over $150 million and 11 years in prison.

    Also in 2011, Zvi Goffer, who formerly worked for Galleon Group and went on to co-found Incremental Capital LLC, was sentenced to 10 years in prison and fines of over $10 million because of a litany of infractions, including bribing lawyers and informants for insider information.

    Notably, in 2003, Martha Stewart was charged by the SEC with insider trading and, separately, by federal prosecutors with obstruction of justice, conspiracy, and making false statements. In 2004 she was convicted at trial on the criminal charges of conspiracy, obstruction, and false statements, and served five months in a federal prison.

    Health Insurance Portability and Accountability Act

    The Health Insurance Portability and Accountability Act (HIPAA) is an important piece of legislation that addresses the privacy and security of an individual's medical information. Its privacy and security rules apply to covered entities (health plans, health care clearinghouses, and providers such as pharmacies, doctor's offices and hospitals) and to their business associates, which is why HIPAA reaches employers, insurers and service vendors well outside the health care industry. HIPAA protects all individually identifiable health information (that is, health information associated with details such as a name or address that could identify the individual) in any medium (paper, electronic, oral). This information is referred to as protected health information, or PHI.

    Civil penalties for HIPAA violations are tiered by culpability, from $100 per violation where the entity did not know of the violation up to $50,000 per violation for willful neglect, with an annual cap of $1.5 million per provision violated (base amounts, since adjusted for inflation). Criminal penalties apply to anyone who "knowingly obtains or discloses individually identifiable health information": up to one year in prison, up to five years if the offense is committed under false pretenses, and up to ten years if it is committed with intent to sell the information or to use it for commercial advantage or malicious harm.

    There are several examples of significant penalties being handed out for HIPAA violations.

    Sarbanes-Oxley Act

    The Sarbanes-Oxley Act of 2002 (SOX) tightened the regulation of financial practice and corporate governance. Specifically, it targets fraudulent financial reporting and suspect business practices, and it sharply increased the penalties for altering or destroying documents during legal proceedings. On the records side, it mandates rules for document retention and the storage of electronic information; in particular, Section 802 requires that audit and review workpapers be retained for five years (a period the SEC's implementing rule extended to seven years).

    Section 802 (a)(2) of SOX deals with the penalties and fines which are imposed for altering, destroying, mutilating, concealing, or falsifying records with the direct intent of influencing a legal investigation, specifically referring to “documents that form the basis of an audit or review, memoranda, correspondence, communications, other documents, and records (including electronic records) which are created, sent, or received in connection with an audit or review and contain conclusions, opinions, analyses, or financial data relating to such an audit or review….” The penalties can range from fines to jail time of up to 10 years, or a combination of both.

    Beginning in 2011, Wal-Mart was under investigation, under the FCPA discussed above, for bribery of foreign officials in order to fast-track its aggressively expanding network of stores. After almost five years, and approximately $837 million in legal fees and internal investigation costs, Wal-Mart was reported to be resolving the matter for roughly $300 million.

    In 2007, Steven Garfinkel, former CFO of DVI, Inc., pleaded guilty to mail fraud and to falsely certifying the company's financial reports in violation of the Sarbanes-Oxley Act. He was sentenced to 30 months in prison and ordered to pay $51 million in restitution.

    Freedom of Information Act

    The Freedom of Information Act (FOIA) is a federal law that provides for the full or partial disclosure, on request, of previously unreleased information and documents controlled by the United States government. It defines which records are subject to disclosure and the procedures for releasing them. The act has existed since 1966; the Electronic FOIA Amendments of 1996 extended it to electronically stored records. It requires agencies to promptly make available any requested information that is subject to disclosure, which in turn requires government agencies to retain their communications and instructions, since these may be requested or become subject to litigation or other legal proceedings.

    FOIA itself applies only to the federal government. The states have their own open records (public records) laws that regulate state and local agencies.

    A dedicated email archiving solution provides your organization with the ability to satisfy a variety of State and Federal Regulations. Third party email archiving solutions provide storing, searching and retrieving capabilities which enable your compliance officer to manage emails in accordance with your organization’s specific legal requirements. These solutions are capable of securely storing all the email communication, including both internal and external emails. Email Archiving also provides the ability to quickly search the relevant emails for review and retrieval for any potential legal situations.

     

    Quick Tip from Intradyn:

    Find the strictest regulations that apply to you, across all of the industries you touch, and become compliant with those. A program that meets the strictest applicable retention periods and storage formats will ordinarily satisfy the less demanding rules as well. Intradyn Email Archiving Solutions are designed to deliver this level of readiness and prepare your organization, should anything happen.

     

    Best Practices for Regulatory Compliance

    Choose an archiving solution.

    Organizations around the world are now accessing and using multiple electronic communications platforms within the workday. On average, 28% of the work week is spent handling electronic business communications. These platforms allow employees to send and receive information in real-time, both within the company and to peers working in other organizations. With more and more of these platforms being launched regularly, monitoring communications for compliance sake has never been more difficult.

    The importance of this data will only increase, as is evidenced by the numbers found in this report done by The Radicati Group, Inc.:

    Retaining all of this critically important data is the first step in remaining compliant across all industries, and fortunately, there are various solutions designed solely for archiving emails, social media correspondence, and the information contained within, allowing your company to identify which is best for you.

    How do you determine which solution fits your needs?

    It is vital for organizations to develop a platform designed to ingest vast volumes of data and store all of it in a compliant manner. These systems have to be able to capture all regulated communications and archive them in a way which demonstrates that they are authentic representations of the original communications.

    Essentially, two distinct types of archiving solutions exist to accomplish this: "in-house" or "on-premise" solutions, and "external" or "hosted" archiving solutions. Recently, demand for hosted archiving solutions has increased, especially for cloud-based systems. Comparing the two is nonetheless essential when selecting the best approach for retaining your organization's information.

    In-house Solutions:

    An on-premise email archiving solution requires the purchase, setup and management of the hardware, software and services needed to run it. Storage needs must be estimated and paid for up front, which requires estimating the de-duplication rate (single-instance storage) of the archive. Running and maintaining the system for the full length of the longest retention period or litigation hold becomes an ongoing task for your IT department. On-premise solutions tend to suit larger organizations. Companies with the necessary budget and staff may prefer them because they want complete control over their archiving infrastructure and to manage the system internally. For organizations that want their data literally within their own four walls, an on-premise solution makes sense.

    External Solutions:

    Hosted archiving solutions don't require companies to purchase and deploy additional hardware or software, nor do they involve ongoing maintenance time or complex upgrades. The vendor bears the upfront cost of implementing the solution and provides you with access to your data; over time it upgrades its infrastructure behind the scenes while keeping the service up for end users, and it usually has dedicated staff monitoring the cloud infrastructure. Overall, the cloud service shifts the operational burden from the business to the vendor. Some solutions offer unlimited storage, which is another benefit.

    Storing archived data in the cloud can be cost-effective when compared with storing and maintaining large amounts of nonessential data in-house. Using external solutions, such as cloud-based archiving, alleviates the need for buying and upgrading on-premises disk or tape hardware systems and archiving software to manage and store non-primary data. An organization can reduce its data center footprint and use less power and cooling resources by storing data in the cloud. When looking for a cloud archiving provider, organizations should consider the providers’ service-level agreement for data recovery, what tools are available to find data when it is needed, whether the cloud has a self-service portal, if the cloud meets all the customers’ compliance requirements and if the application that stores the data is supported.

    Implement a Concrete Retention Policy

    Aside from where your information is stored, deciding what to store and how long to store it can be just as crucial to compliance as anything else. The email retention policy should be governed by your corporate governance and comply with industry and government regulations. An email retention policy should cover all emails sent or received by your organization. It should contain the guidelines for how long emails should be kept and how they should be removed from the email archiving solution.

    One of the most important aspects of the email retention policy is that retention management should be automatic: emails should be removed from the system in a consistent manner, on schedule, without manual intervention. This eliminates human error and decreases your liability significantly. The automation must also respect legal holds, checking for any pending or reasonably anticipated litigation, audit, or records request before deleting anything, because deleting a record after a duty to preserve it has arisen is spoliation even when its retention period has expired.

    Having an email archiving solution helps you in complying with your email retention policy. It also assists you in automating your email retention policy. The type of retention policy your organization adopts can help to streamline and simplify your ability to remain in compliance, especially if your organization chooses to implement a hosted solution. Using the latest technology to apply and enforce policies for communications by employees, regardless of the format, provides the necessary tools for enabling compliant communication.
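    As an added illustration, not from the original page and not Intradyn's code, the following Python model combines the two mechanisms this section and the SEC rules above call for: an append-only store whose integrity can be verified automatically (the WORM requirement) and a retention job that checks for legal holds before deleting anything. The Archive class, its method names, the three-year retention period and the three sample messages are all assumptions made for the example; a real archive would write to WORM-capable storage and keep the audit log itself append-only.

```python
import hashlib
from datetime import datetime, timedelta, timezone

# Hypothetical archive model written for this article; all names are assumptions.
GENESIS = "0" * 64   # previous-hash value for the first record


class Archive:
    """Append-only message archive with a SHA-256 hash chain.

    Each record's hash covers the previous record's hash, so changing,
    removing or reordering any record invalidates every hash after it and
    verify() reports the first bad position. Retention purges blank only the
    message body; the content digest and chain links are kept, so the chain
    stays verifiable and the fact that a record existed is never lost.
    """

    def __init__(self, retention_days):
        self.retention = timedelta(days=retention_days)
        self.records = []   # ordered list of record dicts
        self.holds = {}     # record id -> set of matters holding it
        self.audit = []     # every action taken against the archive

    @staticmethod
    def _sha256(*parts):
        h = hashlib.sha256()
        for p in parts:
            h.update(p.encode("utf-8"))
            h.update(b"\x1f")   # unit separator: parts cannot run together
        return h.hexdigest()

    def _log(self, actor, action, record_id, when):
        self.audit.append({"at": when.isoformat(), "actor": actor,
                           "action": action, "record": record_id})

    def ingest(self, record_id, received, body, actor="mta"):
        """Append a message. There is deliberately no update or delete method."""
        if any(r["id"] == record_id for r in self.records):
            raise ValueError("duplicate record id: " + record_id)
        prev = self.records[-1]["hash"] if self.records else GENESIS
        content_hash = self._sha256(body)
        rec = {"id": record_id, "received": received.isoformat(),
               "body": body, "content_hash": content_hash, "prev": prev}
        rec["hash"] = self._sha256(prev, record_id, rec["received"], content_hash)
        self.records.append(rec)
        self._log(actor, "ingest", record_id, received)

    def place_hold(self, record_id, matter, actor, when):
        self.holds.setdefault(record_id, set()).add(matter)
        self._log(actor, "hold:" + matter, record_id, when)

    def release_hold(self, record_id, matter, actor, when):
        self.holds.get(record_id, set()).discard(matter)
        self._log(actor, "release:" + matter, record_id, when)

    def purge_expired(self, now, actor="retention-job"):
        """Blank bodies past retention, skipping anything under a legal hold."""
        purged = []
        for rec in self.records:
            if rec["body"] is None or self.holds.get(rec["id"]):
                continue
            if datetime.fromisoformat(rec["received"]) + self.retention <= now:
                rec["body"] = None      # digest and chain link remain
                purged.append(rec["id"])
                self._log(actor, "purge", rec["id"], now)
        return purged

    def verify(self):
        """Return (True, None) if the chain is intact, else (False, bad index)."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body_ok = rec["body"] is None or self._sha256(rec["body"]) == rec["content_hash"]
            link_ok = rec["prev"] == prev and rec["hash"] == self._sha256(
                prev, rec["id"], rec["received"], rec["content_hash"])
            if not (body_ok and link_ok):
                return False, i
            prev = rec["hash"]
        return True, None

    def search(self, term):
        """Case-insensitive full-text search over bodies still retained."""
        term = term.lower()
        return [r["id"] for r in self.records if r["body"] and term in r["body"].lower()]


def demo():
    """Walk through ingest, hold, purge, verification and a tampering attempt."""
    t0 = datetime(2017, 1, 1, tzinfo=timezone.utc)
    archive = Archive(retention_days=3 * 365)   # three-year minimum, as for broker-dealers
    # Constructed sample messages, not real correspondence.
    archive.ingest("m1", t0, "Subject: Q1 forecast\nRevised numbers attached.")
    archive.ingest("m2", t0 + timedelta(days=400), "Subject: Trade confirm\nBuy 100 ACME @ 42.10")
    archive.ingest("m3", t0 + timedelta(days=800), "Subject: Lunch?\nNoon works.")
    hits = archive.search("acme")                                   # ['m2']
    archive.place_hold("m1", "matter-2019-07", "counsel", t0 + timedelta(days=900))
    later = t0 + timedelta(days=3 * 365 + 401)    # m1 and m2 past retention; m3 not
    purged = archive.purge_expired(later)         # m1 is held, so only m2 goes
    intact, _ = archive.verify()                  # purge kept the chain valid
    archive.records[2]["body"] = "Subject: Lunch?\nNever happened."  # simulated tampering
    _, bad_index = archive.verify()               # detected at position 2
    return {"hits": hits, "purged": purged, "intact_after_purge": intact,
            "tampered_index": bad_index, "audit_entries": len(archive.audit)}


if __name__ == "__main__":
    print(demo())
```

    Running demo() shows that only m2 is purged (m1 had also expired but was under hold), that the chain still verifies after the purge, and that editing a stored body afterwards is caught at that record's position. Keeping the content digest after a purge is what lets an auditor prove a message existed and when it was received, without the archive holding the body past its retention period.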

    What information will be kept?

    As stated many times before, to remain in full-compliance, all email and social media communications should be retained. The average corporate email user sends and receives around 110 messages per day. Implementing an archiving solution and establishing a policy to decide what is kept is vital to not only compliance matters, but also to an employee’s ability to effectively manage their time.

    Retention policies are typically built around the compliance standards as they apply by industry. According to the FRCP, document retention applies to everything electronic (emails, directives, files, communications, and requests), meaning if your organization faces any legal situations and fails to produce any kind of electronically stored information, the results could be potentially devastating.

    Who makes this decision?

    Some organizations implement archiving solutions whose retention policies let users decide which communications should be retained. This demands a tremendous amount of time and resources, since every item an individual deems worth keeping has to be archived manually.

    Unfortunately, this does not keep organizations in compliance, because it leaves open the possibility of document tampering or destruction. These kinds of gaps in retention policies remain very present in today’s business culture, leaving organizations vulnerable to undetected fraud, errors, and lawsuits or litigations involving regulatory enforcement policies.

    How long should information be retained?

    This decision is generally wholly based on the industry your organization belongs to, as each carry their own set of federal regulatory standards. To find a full list of the minimum requirements, visit the Intradyn website. Here are a handful of applicable minimum lengths of retention periods.

    Full Audit Log

    Every action that a person takes with their email should be audited. An email archiving solution allows you to conduct this audit, whether it is figuring out who is deleting emails, who is looking at certain emails or who is changing emails. A top-notch email archiving solution also allows for what is known as “random sampling” — which is a suitable way to ensure you’re routinely auditing your email archiving for certain activity or behavior.

    Who has accessibility to audit information?

    The audit log gives an administrator complete oversight of the communications taking place within an organization, as well as those between employees and the outside community. An email archiving system usually allows the administrator of the solution to configure who has access to these logs.

    Which accounts are accessible, and should be monitored and archived from?

    The ability to audit electronic communications is nearly mandatory when it comes to achieving regulatory compliance. Because of that, the archiving solution implemented within an organization should be able to monitor and log the activity of all accounts; email, social media, or otherwise.

    E-Discovery (Search) Capabilities

    Discovery is the legal process, governed by the Federal Rules of Civil Procedure and their state equivalents, that allows attorneys on both sides to request information relevant to a case and that may lead to the discovery of other important facts. Parties to a lawsuit are required to provide this information during the discovery phase; eDiscovery is simply discovery applied to electronically stored information. Intradyn's search features simplify the audit process and streamline preparation for eDiscovery and litigation by searching posts by keyword, filters, and full text. Once you have created your report, you can export your social media data to a spreadsheet.

    Can you provide requested information in prompt and timely manner?

    A key component of the eDiscovery process is the length of time it takes for the party in question to present the requested material. The easiest way to guarantee your archiving solution is capable of accomplishing this task promptly is by implementing a solution which features top-of-the-line search capabilities.  The ability to search through an archive for a specific communication allows you to produce the exact item in question in a manner which satisfies any deadline requirements.

    Is your information stored in an acceptable format, i.e., a format other than paper or hard copies?

    The copies of your emails or social media communications stored in a compliant archive are preserved exclusively in a "non-rewritable, non-erasable" format, with the ability to verify the authenticity and quality of the stored media.

    Redaction Capabilities

    Can you ensure that sensitive information can be protected?

    In the event that you are required to produce electronically stored information, there exists the possibility that communications which are relevant to the request contain other information which is considered sensitive or private. In these situations, some archiving solutions, like Intradyn’s, will allow the administrator to redact or hide any information that is tagged. In the Intradyn system, the administrator is able to redact information from a single message, or across an entire string of communications.

    Data Accessibility

    Is your archived data available for access at any time?

    A fear that some users have prior to using an archiving solution like Intradyn is that they will not be able to access their information whenever they need to. There is even the fear that switching providers could lead to your information effectively being held hostage. With Intradyn, you are guaranteed that your information is always available to you.

    We believe that your data is just that: yours.

    Contact us for more information on how Intradyn’s eDiscovery solution can help your organization achieve regulatory compliance.

     


    As the chief operating officer and co-founder of Intradyn, Adnan brings 20+ years of experience in the email retention and archiving space to shape Intradyn’s archiving solutions. As COO, Adnan oversees the company’s financial and human resources operations and takes the lead in managing the original equipment manufacturer relationship. Adnan provides wide-ranging oversight of Intradyn’s day-to-day operations to drive greater operational efficiency and grow the company’s global capabilities.

    Along with his business partner, Adnan successfully spun out Intradyn’s archiving business from Mirapoint Software Inc., where he held the position of vice president. Mirapoint Software was primarily focused on archiving solutions for program offices, customer support, corporate infrastructure and the supply chain. Prior to that, Adnan managed complex Internet Channel group projects at eFunds Corporation (now Fidelity National Information Services).

    Adnan holds a Bachelor of Science degree from Minnesota State University and a Master of Business Administration in IT and Finance from the University of St. Thomas.
