What a Company Needs to Think about to Become Compliant
Federal Statutes
- The Gramm-Leach-Bliley Act: Requiring every business that accesses or uses a customer's personal financial information to issue a privacy statement that notifies its customers "in clear and conspicuous language" on an annual basis how that information is collected and used, and to comply with its stated privacy policy to protect the privacy of such information;
- The Health Insurance Portability and Accountability Act: Requiring every business that accesses or uses an individual's protected health information to issue a privacy statement that notifies such individuals on an annual basis how that information is collected and used, and to comply with its stated privacy policy to protect the privacy of such information;
- The Sarbanes-Oxley Act: Requiring accountants who audit or review financial statements for a business to retain certain business records relating to that audit or review; and imposing criminal liability on any business that engages in document destruction, even if such destruction occurs before the business has any formal notice of an official proceeding, and without the necessity of proving a bad intent for the destruction, i.e., a "corrupt persuasion."
- Securities and Exchange Commission (SEC): A 1997 amendment to the Securities and Exchange Commission (SEC) Act requires financial institutions to keep records of digital communications between broker/dealers and customers. Records must be stored on media that are not subject to change, must be easily accessible for the first two years, and must be retained unchanged for no fewer than six years.
What is required to be compliant? Regulations today require a company's top management to:

(a) Affirm their ultimate responsibility for the company's internal financial controls in writing in their annual report;
(b) Provide an assessment of, and attest to, the effectiveness of those controls; and
(c) Obtain a separate report from a third-party auditor evaluating and validating management's assessment of the company's controls.

To achieve this, it will be critical to have controls, policies and procedures in place and documented.
What does this mean for business today?

- Email is no longer a novelty for conducting business today, whether for small or large, privately owned or publicly traded companies.
- Email is considered admissible as a business record in a court of law, by way of defense against litigation.