The Role Of Email Security In Meeting Regulatory Requirements
Corporate governance and regulation were one of the dominant themes of 2004 and look set to continue to be so throughout 2005. Corporate governance relates to how an organisation is run, and has repercussions for almost every department – particularly Finance, HR, Auditing, Procurement and IT. Due to the nature of the potential content of email, ranging from a simple customer query to financial projections, the use of this application demands particular attention to ensure that its management helps to secure regulatory compliance.
From the late 1990s, numerous new regulations have been introduced in both the United States and Europe, often in the wake of corporate scandals where unethical business practices fell foul of existing financial reporting and disclosure rules. The backlash from these high profile episodes prompted newer corporate compliance legislation, such as Basel II in Europe and Sarbanes-Oxley in the United States. This is now being implemented alongside the likes of the EU Data Protection Directives and the Privacy & Electronic Communications Regulation, to ensure that companies put and keep their houses in order.
In general, the relationship between email and the law is a patchy one, with a mismatch of old and new law dealing with old and new issues. There is no single law relating directly to the use of email, and yet it is touched by several pieces of legislation intended to balance the interests of privacy and human rights with protecting corporate investment and security.
For example, in the UK, the 7th Principle of the Data Protection Act requires that businesses take “appropriate measures to prevent the unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’ Although somewhat ambiguous in its definition, it essentially means that companies must protect all electronic communications containing customer data, including all emails sent and received.
It is not just customer information that must be considered. In order to be compliant with the regulations, businesses must take appropriate measures to mitigate the risk of disclosing valuable or sensitive organisational data. Unauthorised access to or distribution of financial forecasts, intellectual property or any other company-sensitive information can not only contravene legislation but may also do substantial damage to an organisation’s credibility, reputation and future competitiveness. It is also worth remembering that contracts are often inadvertently created via email – without either party realising it.
There has been a tendency for some companies to dismiss regulatory compliance as something that they don’t really need to worry about, and it’s only other businesses that need to worry. Consider then what would happen if a legal disclosure order sought access to all email sent between Mr A and Ms B over a six month. Or if as part of an investigation all emails sent by finance and HR over the past two years had to be retrieved. Unless the organisation in question has efficient email back up, search and retrieval, this is likely to be a lengthy and costly process, and failure to provide the information could have serious repercussions.
It is easy to concentrate on the seemingly negative implications of ensuring compliance – it is expensive, complicated and time consuming. However, not enough attention is given to the benefits of being compliant. Investors pay a premium for shares in companies that can demonstrate they are well governed; in the UK and US this is estimated to be around 15-20% extra on capital value. In addition, businesses that can prove they are well managed tend to attract high calibre employees and customers. So quite apart from avoiding the long arm of the law and damage to brand and reputation, exercising good governance practice has some other major advantages.
Comprehensive email management and security solutions have a vital role to play in meeting regulatory requirements. As a basic rule, companies are advised to make sure that they seek proper protection from viruses and other malicious content. They must also ensure that they have taken reasonable measures to defend personal information relating to customers and employees.
One of the most effective ways of achieving this is to use a proactive Internet level service to foster a safer working environment, offering protection against previously unknown security attacks and breaches of confidentiality. A managed service can also help companies to adhere to regulatory requirements relating to archiving, storage, back up and retrieval.
Any organisation facing regulatory compliance, a growing number, must do a cost/risk equation. There is no doubt that it is expensive to comply – both in terms of hard cash and man hours. This is another reason why many companies are turning to a managed email security service, as it offers a predictable monthly expenditure which can be easily planned for.
Ultimately much of the successful management of IT compliance lies in the effectiveness of the business processes and monitoring systems put in place. But just as prevention is better than cure, ensuring that proper email security measures are activated and maintained can go a long way to easing the burden of complying with regulations now and in the future.