A competent technical manager knows that his company needs to adhere to email compliance laws and regulations. Compliance, however, is not easy! There is literally an alphabet soup of laws and regulations: SOX, HIPAA, GLB and others.
In this post I offer five tips that you can use to avoid all of the common pitfalls that every technical manager, CTO or CIO has to deal with.
1. Understand Compliance
You need to understand the compliance laws that apply in your country or state. The two major laws are the Sarbanes-Oxley Act (SOX) and the Health Insurance Portability and Accountability Act (HIPAA). Email regulations also exist in the Gramm-Leach-Bliley Act (GLB), Securities and Exchange Commission rules (SEC 17a) and the National Association of Securities Dealers rules (NASD 3010).
You should find out which laws apply to your industry. The medical and financial sectors tend to have more laws and compliance is very rigorous. In the e-commerce markets, laws tend to change very quickly and country boundaries are blurred, adding to the challenges.
Breaking the regulations can lead to imprisonment in some cases, or very large fines in others, leaving companies no choice but to adhere strictly to whatever compliance laws are put in place.
The major requirements common to all of these regulations are email retention (email is stored for a set period of time) and email extraction (email can be retrieved from the archive on request).
2. Have a good Company Policy
A company policy sets down the rules that govern the organization. A good company ensures that its employees are trained in the areas that affect them. This improves their performance and helps them understand their responsibilities.
Policy sections that deal with email and messaging should state which parts of the relevant laws are being applied in the organization. Users should know which devices are allowed and which are forbidden, and they should be told what kind of personal information is being retained.
3. Personal email accounts
It is very common these days for employees to have at least two accounts: a corporate account and a personal account. Personal accounts can pose a compliance risk to your organization. It is vital that all communication related to the organization goes only through the company's approved email accounts, because those are the ones covered by the policy.
There is an increasing trend for employees to use their corporate email accounts from their personal mobile devices. In this case you need to ensure that the way the device is configured and used is also compliant.
4. Tools and Services for Compliancy
There are many software packages and services that can be used to satisfy the technical requirements of compliance. When selecting email technologies and tools, it is important to check which laws and regulations they cover, and whether they cover them adequately. Good email archiving software should conform to many of the email compliance standards, but in some situations not every package will suit your needs, so make sure you read the software specifications before you buy.
Regulation compliance is also offered as a service, where your email traffic is archived in the cloud. When choosing such a service, be diligent about where your data is hosted and how much control you have over it.
5. Continuous Compliance
Email compliance is a moving target. It is not enough to set it up once and forget about it. You need to continuously monitor and upgrade your email systems, because each change can affect compliance. New employees also need to be trained on company policies, and when policies change, existing staff need to be told about the changes. Stay up to date on the latest technology and keep an eye out for new trends that can affect your state of compliance.