SEC and HIPAA Compliance on Email Archiving
All businesses today are required to archive emails under the laws that apply to them. Email archiving is the process of storing email communications in a digital format so that they can be searched, indexed, and retrieved whenever needed. Instead of being scattered across business departments, an archived email is encrypted, typically compressed, and stored in a central location. This minimizes the attack surface and makes it easier to manage older emails that contain a plethora of sensitive data. Email archiving also keeps track of when and where emails were sent, who sent them, and who received them.
The United States Government mandated email archiving by including Electronically Stored Information (ESI) in the 2006 update of the Federal Rules of Civil Procedure (FRCP). Rule 34(a) of the update expects emails to be discoverable. Similarly, Rule 37 states that organizations must demonstrate that they have appropriate email retention policies in place to put litigation holds on data and ensure it is not destroyed inappropriately.
Similar state and federal regulations apply to all private and public sector businesses. However, these regulations are stricter for highly regulated industries such as finance and healthcare. Nonadherence to these federal and state regulations may result in harsh penalties for both the company and individuals.
Email Archiving in the Finance Sector
The finance sector plays a vital role in the economy, welfare and security of the state. Therefore, the rules for companies in this sector must be strict. One such rule is Section 17a-4 of the Securities and Exchange Commission (SEC). It requires financial statements, transaction records, and other communications relating to the business to be held in an easily accessible form for a total of three years.
The Financial Industry Regulatory Authority (FINRA)'s Rule 3110.09 (Retention of Correspondence and Internal Communications) states that investment companies, brokers, and dealers must do the same.
Furthermore, according to Sarbanes-Oxley Act (SOX) Rule 210.2-06, auditors must retain any communications and associated documents relating to a SOX compliance audit that contain findings, views, analysis, or financial facts.
Email Archiving in the Healthcare Sector
Like the finance sector, the healthcare sector also handles a lot of sensitive data and therefore has to adhere to several regulations. One such rule is the Health Insurance Portability and Accountability Act (HIPAA). Though this act does not explicitly mention email retention in the healthcare industry, several restrictions apply to specific categories of data. Individuals might, for example, request a six-year accounting of all protected health information (PHI) disclosures. If a written notice regarding a security or privacy policy change is necessary, it must be kept for six years. In general, HIPAA-covered organizations might benefit from an email retention system, if only to demonstrate that no PHI was exposed via email.
Conclusion
There are numerous instances where legislation and regulation do not expressly mandate email archiving as a solution but include related provisions, such as California's SB1386, which requires companies to inform customers of a data breach. Email archiving is therefore a viable option for safeguarding old emails, as it also gives businesses an unalterable record of every email.
Having said that, a comprehensive email archiving solution can provide a baseline level of security for companies as requirements change and frequently increase. While it is undoubtedly a valuable tool for reducing risk, it is not a remedy for every information management issue; it is one tool that helps reduce the compliance risks associated with email.