What a Company Needs to Think About to Become Compliant
Federal Statutes
The Gramm-Leach-Bliley Act (GLBA):
Requires every financial institution that collects or uses a customer's non-public personal financial information to issue a privacy notice that tells its customers, "in clear and conspicuous" language and on an annual basis, how that information is collected, used and shared, and to comply with its stated privacy policy to protect the privacy of such information;
The Health Insurance Portability and Accountability Act (HIPAA):
Requires every covered entity (health plans, health care clearinghouses and health care providers) that creates, accesses or uses an individual's protected health information to issue a notice of privacy practices that tells such individuals how that information is used and disclosed, and to comply with its stated privacy policy to protect the privacy of such information;
The Sarbanes-Oxley Act (SOX):
Requires accountants who audit or review a business's financial statements to retain the working papers and other records relating to that audit or review for a prescribed period; and imposes criminal liability on any person or business that knowingly destroys, alters or falsifies records with intent to obstruct a federal investigation or proceeding, even if the destruction occurs before the business has any formal notice of an official proceeding, and without the prosecution having to prove the "corrupt persuasion" required under earlier obstruction statutes.
Securities and Exchange Commission (SEC) Rule 17a-4:
A 1997 amendment to Rule 17a-4 under the Securities Exchange Act of 1934 permits broker-dealers to keep their required records, including electronic communications with customers, on electronic storage media, provided the media preserve the records in a non-rewritable, non-erasable format. Such records must be easily accessible for the first two years and retained unchanged for the full retention period the rule prescribes: not less than three years for business communications and not less than six years for the firm's principal books and records.
What is required to be compliant?
Regulations today (notably Section 404 of the Sarbanes-Oxley Act) require a public company's top management to:
(a) Affirm in writing, in the annual report, their ultimate responsibility for establishing and maintaining the company's internal controls over financial reporting;
(b) Provide an assessment of, and attest to, the effectiveness of those controls; and
(c) Obtain a separate report from the company's independent auditor evaluating and validating management's assessment of the company's controls.
To achieve this it is critical to have controls, policies and procedures in place and documented.
- What does this mean for business today?
Email is no longer a novelty; it is a routine means of conducting business for small and large, privately owned and publicly traded companies alike, and the messages it produces are business records that fall under the record-keeping and retention rules above.
- Email is admissible as a business record in a court of law and can be used as evidence for or against a company in litigation.