In today's business world, we are nothing without our email. Now, we don't even need to be sitting in our office to hear the ding of our inbox alerting us that yet another message has arrived; we live in a time where smartphones are everywhere and we can have our email with us at all times. With all this new technology, though, there has also come an onslaught of laws designed to keep email compliant with things like customer privacy, law enforcement investigations, and corporate governance. In short, the purpose of these laws is to make sure that email is being used, and managed, properly.
If you work for a doctor's office, you certainly know about HIPAA. The two rules that affect email compliance are the Privacy Rule and the Security Rule. Of the two, the Security Rule is more in-depth and essentially mirrors the Privacy Rule; its purpose is to focus on information security best practices, and it revolves around the security cornerstones of confidentiality, integrity, and availability. The Security Rule covers everything from the management of information on workstations to facility access and transmission security. It is vital that any information you send via email not reveal the patient's identity or the problem they are facing; many offices will use initials when referring to patients via email.
In the financial industry, email compliance is governed by the Gramm-Leach-Bliley Act. Also known as GLBA, it is basically the same law as HIPAA, just for a different type of business. It is designed to ensure the privacy and security of non-public personal information as it relates to individuals' financial information. GLBA's rules apply to mortgage lenders, banks, stock firms, and others like them. Within GLBA, the financial company is charged with several things: to designate an employee or employees to coordinate the information security program, to identify reasonably foreseeable risks to non-public information, to make sure its suppliers are also using safeguards, and to monitor all of the above.
On top of these two laws, there are others. The Sarbanes-Oxley Act, also known as SOX, is overseen by the U.S. Securities and Exchange Commission. This act was designed in response to the various, and highly publicized, bogus financial reporting scandals of the early 2000s. SOX addresses what information may leave an organization and how long the industry should keep information on file; it requires that financial companies keep emails on file for six years. Likewise, SEC Rule 17a-4 and NASD Rules 3010 and 3110 affect email communications within the financial industry.
This is just the tip of the iceberg. When it comes to email compliance, there are rules everywhere, and your business needs to know which ones apply to you and how to handle them. There are several ways to address these issues, most of which involve hiring at least some type of IT security firm to develop a total information security plan that will comply with current, and future, government email regulations.