Wrestling with Regulatory Compliance
What is Regulatory Compliance?
Regulatory Compliance refers to systems or departments at corporations, businesses and public agencies to ensure that personnel are aware of and take steps to comply with relevant laws and regulations.
The responsibility to guard and maintain active and archival information for your organization has never been greater. Regulatory requirements have been introduced and/or modified to more clearly define roles and responsibilities for information management, as well as outline penalties for noncompliance.
The Gramm-Leach-Bliley Act
The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Modernization Act of 1999, is aimed at financial institutions and includes provisions to protect consumers' personal financial information held by these companies. It is enforced by eight separate federal agencies and the states. The GLBA provides for a fairly broad interpretation of the phrase "financial institution" and not only affects banks, insurance companies and security firms, but also brokers, lenders, tax preparers, and real estate settlement companies, among others. There are three principal parts to the privacy requirements: the Financial Privacy Rule, Safeguards Rule and pretexting provisions.
Financial Privacy Rule
The Financial Privacy Rule governs the collection and disclosure of customers' personal financial information by financial institutions. It also applies to companies, whether or not they are financial institutions, who receive such information.
Safeguards Rule
The Safeguards Rule requires all financial institutions to design, implement and maintain safeguards to protect customer information. The Safeguards Rule applies not only to financial institutions that collect information from their own customers, but also to financial institutions, such as credit reporting agencies, that receive customer information from other financial institutions.
Pretexting Provisions
The Pretexting provisions of the GLB Act protect consumers from individuals and companies that obtain their personal financial information under false pretenses, a practice known as "pretexting."
Are you in compliance with GLBA storage requirements?
Today's interpretation of Gramm-Leach-Bliley in relation to data security extends beyond your storage device alone and, in fact, encompasses a company's policies and procedures as well as the hardware that maintains the storage infrastructure. When it comes to policies and procedures, your storage system should be protected from any and all outside and unauthorized access. It is important that you define who can access which data, and under what circumstances. Access to sensitive customer information should be logged to provide accountability and to act as a deterrent to insiders who threaten customer privacy. The storage system itself should be secondary. As long as it is protected from unauthorized access, and you know who has permissions, when someone accessed information, and why, your company will be able to conduct business, even with Gramm-Leach-Bliley in place.
Penalties for Not being in Compliance
If you are found to be non-compliant with the GLBA, you could be vulnerable to severe fines and even subject to class-action lawsuits.
Take the following penalties into consideration:
* Institutions can be subjected to civil penalties of up to $100,000 for each violation
* The officers and directors of the institution could be subject to, and personally liable for, a civil penalty of up to $10,000
* Possible imprisonment for up to five years
The Sarbanes-Oxley Act
The Sarbanes-Oxley Act (SOX) was signed into law on July 30, 2002 in response to corporate scandals such as Enron, WorldCom and . Sarbanes-Oxley has been called by many the most far-reaching U.S. securities legislation in years. The Act mandated a number of reforms to enhance corporate responsibility, enhance financial disclosures and combat corporate and accounting fraud, and created the "Public Company Accounting Oversight Board," also known as the PCAOB, to oversee the activities of the auditing profession. Now, all companies required to file periodic reports with the Securities and Exchange Commission (SEC) have new duties for reporting and corporate obligation.
Non-compliance comes with significant penalties. For example, altering, destroying, concealing or falsifying records or documents with the intent to influence a federal investigation or bankruptcy case is subject to fines into the millions and up to 20 years imprisonment.
HIPAA
The American Health Insurance Portability and Accountability Act (HIPAA) took effect on April 14, 2003 and is a set of rules to be followed by health plans, doctors, hospitals and other health care providers. HIPAA called upon the Department of Health and Human Services (HHS) to publish new rules that will ensure:
* Standardization of electronic patient health, administrative and financial data
* Unique health identifiers for individuals, employers, health plans and health care providers
* Security standards protecting the confidentiality and integrity of "individually identifiable health information," past, present or future.
In the health care and medical profession, the great challenge that HIPAA has created is the assurance that all patient account handling, billing, and medical records are HIPAA compliant. Some provisions of HIPAA involve patient / hospital interaction. For example, patients must be able to access their records and correct errors, and must be informed of how their personal information will be used. Other provisions involve confidentiality of patient information and documentation of privacy procedures. It is these provisions that have led to regulation-specific software updates, specialist consulting, and in some cases complete overhauls of medical billing and records systems.
Most entities have 24 months from the effective date of the final rules to achieve compliance. Normally, the effective date is 60 days after a rule is published.
Penalties for not being compliant:
HIPAA noncompliance can have devastating consequences. It not only opens you up to severe fines and penalties, but also to litigation and negative publicity. Non-compliance can result in the following:
* Civil fines of up to $25,000 a year
* Criminal penalties reaching $250,000 and up to 10 years in prison
FACTA
On June 1, 2005, the FTC's rule on the proper storage and disposal of certain "consumer information" went into effect. This rule was issued by the FTC as part of its jurisdiction under the Fair and Accurate Credit Transactions Act, or FACTA. FACTA became law on December 4, 2003. It enhanced the ability of consumers to combat identity theft, increased the accuracy of consumer reports, and allowed consumers to exercise greater control regarding the type and amount of marketing solicitations they receive. It also restricts the use and disclosure of sensitive medical information that is contained in a consumer report. In addition, to promote increasingly efficient national credit markets, FACTA establishes uniform national standards in key areas of regulation regarding consumer report information. This latest FACTA rule requires any business "that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose" to "properly dispose of such information or compilation." The rules for what constitutes "consumer information" and its proper disposal can be confusing at best, and the penalty for non-compliance can be steep.
Penalties for not being compliant:
If you are found non-compliant, you could be vulnerable to severe fines and even subject to class-action lawsuits.
Take the following penalties into consideration:
* Civil Liability - Actual damages sustained if identity is stolen as a result of corporate inaction, or statutory damages up to $1,000 per employee.
* Class-Action Lawsuits - If large numbers of employees are affected, they may be able to bring class-action suits and get punitive damages from employers.
* Federal Fines - Up to $2,500 for each violation.
* State Fines - Up to $1,000 for each violation.
Posted on Monday, December 04 @ 10:14:47 EST by 3ec